Security is always too much, until it's not enough ...



Consideration of a “Hot-Site” for Business Continuity Operations

Brian Disorbo

Stafford, VA

Southwestern College

Abstract

Hurricanes, floods, tornadoes, fires, earthquakes, foreign terrorist attacks, homegrown terrorist attacks, and other unforeseen incidents highlight the need for a business unit to be readily prepared to carry on operations in their aftermath. As such, the PM-CISS Security Manager has chosen to research and produce this document in an effort to illuminate the need for PM-CISS to create a “hot-site” for business continuity purposes. A “hot-site” is “a remote location with systems identical or similar to a home site for use after a disaster” (Whitman, 2010). The creation of a “hot-site” ensures PM-CISS has a secure operating location to carry forward its mission.

Introduction

“Eleven years removed from the devastating attacks of September 11, 2001, domestic security concerns have returned to a minor footnote as Americans go about their daily business. Recent discussions of U.S. defensive insulation from extremist militant violence largely center around protection for our diplomats abroad, not the U.S. homeland proper. However, it is important that we do not forget the collective sentiment of fear and uncertainty that swept the country following 9/11” (Chodkowski, 2012).

It stands to reason that another 9/11-type attack is likely to occur within the United States; it is a question of when, not if. Given the close proximity of the PM-CISS office to the nation’s capital, it is prudent to consider the effects a large-scale attack would have on the immediate work location. While a “direct hit” may not be inevitable, it should be taken under consideration, as should the possibility of a large-scale attack in the immediate area of the PM-CISS office location. Taking that into account, the crime scene and investigation can feasibly take months to complete, and only then can the cleanup of the disaster site begin. Any of the above scenarios would impact PM-CISS’ ability to carry out its assigned mission for an extended period of time, and that is simply not an option for any organization, especially one charged with equipping our nation’s SOF warriors.

This paper outlines the steps needed for PM-CISS to establish what is known as a “hot-site”, and incorporates the associated operating cost per annum for three facilities that should be taken under consideration for this project. Disaster recovery and business continuity are essential in today’s business world, and while the organization has both business continuity and disaster recovery plans in place, it simply may not be enough to ensure effective program management and customer support will carry on in the face of a disaster.

Defining the Problem

As chartered, PM-CISS is responsible to the Program Executive Officer - Special Operations Research, Development, and Acquisition Center (SORDAC) for the rapid acquisition and delivery of Special Operation Forces (SOF) peculiar kit to the warfighter.

As currently situated, in the face of an adverse situation, PM-CISS does not have the ability to carry on its chartered objectives of “1) Delivering capability to the user expeditiously; 2) Exploiting proven techniques and methods; 3) Keeping Warfighters involved throughout the process; and 4) Taking risk and managing it” (United States Special Operations Command). There is an emergency action plan (EAP) in place, but it relates directly to the protection of paper, electronics and equipment, not to long-term damage to the facility itself. The EAP simply outlines a short-term plan for housing the aforementioned items and personnel; it does not lend itself to a long-term solution.

Given the sensitivity of the information PM-CISS works with, a long and enduring solution is needed in order for the organization to carry on its mission unimpeded. This is ideally where a “hot-site” would be beneficial to the organization as a whole.

A “hot-site” is the most beneficial, yet expensive alternative for the Program Manager (PM) to consider, but given the distinct advantage it lends over a “warm” or “cold” site, I believe it to be the best alternative with regard to continuity of operations.

Further, given that the PM-CISS customer base is widely distributed throughout the United States and electronic communication is the preferred method of transmitting information, not having a back-up location would certainly drive business away from the PM’s portfolio and place the burden of executing PM-CISS’ mission on another SORDAC program management office (PMO).

Hot, Warm, Cold Sites

“September 11 reminded us of the importance of geographic diversification, both from a technology perspective and a business unit perspective. Our current configuration is designed to enable our key business operations to continue in the event of a disaster without loss of service to our clients” (Henne, 2007). This statement is in direct relation to the devastating effects the tragedy of 9/11 had on the Bank of New York’s business operations.

A “hot-site” is “a remote location with systems identical or similar to a home site for use after a disaster” (Whitman, 2010). The distinct advantage of a “hot-site” is that, in the face of an adverse situation impacting our primary operating location, the entire PMO can report to the site immediately following the event and immediately start working. The facility will be equipped with all of the I.T. assets we have at our primary work location, to include all of the LANs (classified included), phones (classified included), printers/scanners and a number of workspaces commensurate with what the current office employs. It is a mirror, technology-wise, of our current office set-up and can be activated in minutes or hours. Further, I.T. support functions would default to our supporting I.T. element. Preliminary discussions with the directorate of command, control, communications and computers (DC4) indicate they are willing to lend support in the form of one full-time I.T. specialist to handle any issues that may arise with the installed I.T. assets, to include updating all of the systems during the initial site activation. All told, this ensures “zero” mission impact.

A “warm-site” is defined as “An alternate site that can be used by an organization if a disaster occurs at the home site. Frequently includes computing equipment and peripherals with servers but not client workstations” (Whitman, 2010). The obvious drawback to a warm site is that it has no workstations installed, and in this particular case, without workstations there would be no classified telephones at the onset of activation operations. Based on discussions with DC4, it would take a minimum of 96 hours (maximum of 144) to get the site fully operational, which includes installing all six LANs and all three phone systems at each workstation. This would impact the mission at the onset, perhaps for a week at most, but once the workstations were installed and the phone systems operational, the site would function in the same fashion as our current operating location. This alternative is less expensive than a hot-site, but as illustrated above there is a tradeoff between the two. Next is the final option, that of the “cold-site”.

A cold-site is defined as “An alternate site that can be used by an organization if a disaster occurs at the home site. Contains rudimentary services and facilities” (Whitman, 2010). In a basic sense, a cold site simply offers open floor space, air conditioning, heating and electrical service and nothing more. There is no computing equipment, servers or peripherals, telephones, workstations or network drops. Through conversation with DC4, it would take upwards of two and a half to three weeks to get full computer services up and running due to the sheer amount of infrastructure that would need to be run and installed. DC4 also could not guarantee they would have enough resources (computer terminals, monitors/dual monitors, scanners, printers, telephones and secure telephones) to fully outfit the office. This means the command section would more than likely be fully equipped, and the remainder of the equipment would be configured based on mission needs per employee. It is not an ideal situation but would work if the situation dictated. Of the three options listed, it is this security professional’s opinion that a cold site should be taken off the table completely, as it is not a suitable alternative due to the time constraints associated with start-up immediately following a disaster.

As outlined in an Italian study regarding business continuity planning during disaster recovery (DR) operations, “...businesses interested in implementing a DR Plan have many options available which include hot-sites, private hot-sites, warm sites, service bureaus, and reciprocal agreements. These can be used to provide partial disaster recovery to the decentralized, often downsized users on a service bureau basis. This essentially means to use third-party disaster recovery plans providers through contracts for hot-site facilities where organizations can temporarily continue their computing operations until their systems are restored. This fact is supported by the empirical evidence that more organizations are beginning to outsource specific IS functions that historically have been retained in-house, such as disaster recovery planning and data entry” (Banks & study, 1999).

By the letter of the case study, strong evidence points to the fact that “blending” in with another business, or “third party”, would be an ideal alternative. In most cases this would be completely true, but as a geographically separated unit, PM-CISS has no other operating partners in the National Capital Region (NCR); as such, it would be nearly impossible to integrate our mission with another organization in the NCR.

Responsibilities

In the period immediately following a disaster, an initial assessment of the primary operating location will be made by both the PM and DPM to decide whether or not to proceed with activating the alternate operating location. Things that should be taken into account when making this assessment are the overall damage to and livability of the primary location (life safety), whether or not the physical protection systems are operational, and the state of network security. If any of the above has been compromised, activating the alternate location should be strongly considered.

Once the all clear has been given, the PM will initiate a pyramid-style recall with all active duty personnel, the DPM will initiate a pyramid-style recall with all DoD civilians, and the contractor site-lead will initiate a pyramid-style recall with all contractor personnel. Once complete, accountability metrics will be forwarded to the PM and up to the PEO. Information gathered during this recall will include whether any personal hardships have resulted from the disaster, whether or not individual assistance is needed, and the earliest members would be able to report for work.

It is the chief responsibility of the Security Manager/SSO to ensure all physical protection systems are maintained and operational. This will be accomplished through monthly walkthroughs of the alternate site and will include, at least quarterly, alarm testing and police response. Given the nature of the mission systems PM-CISS works across, ensuring that the physical protection systems are operating and that site security is meeting the spirit and intent of Department of Defense, Intelligence Community Directives, Air Force/SOCOM regulations and, of course, the accreditation authority, is absolutely paramount. Should the alternate site be activated, security should already be operating flawlessly.

The onus falls on each individual member to learn safe routes to and from the alternate operating location, to learn the security procedures (training will be provided) and to ensure the proper credentials are carried at all times. As this is an alternate site, physical security will mirror that of the home site, but the badging convention and actual security equipment may be slightly different.

Prospective Facilities

A cost analysis was completed of three facilities with adequate space and landlords that will allow for renovations that bring the facilities up to the needed standards, if not already suitable.


Facility 1 is located in Crystal City, VA. While it is the most expensive of all of the current options, it is also the most well equipped to accept the PM-CISS mission. It boasts 4,700 square feet of undivided floor space, 5 individual offices, and a conference room with secure video teleconferencing (VTC) capability. There is a robust I.T. infrastructure in place, and DC4 states getting the area mission ready would take approximately four days. The Defense Intelligence Agency (DIA) also previously accredited the space as a Sensitive Compartmented Information Facility (SCIF). In order to ensure the space is still within standards, the PM-CISS Security Manager/SSO would run a full fixed facility checklist and correct any deficiencies found. Included in the overall cost are armed guard services, utilities, alarm service, and trunked telephone service. This site would be the least expensive to get up and running and to maintain. Given that this space is co-located with an organization that does similar work, this facility seems a natural fit for the mission PM-CISS carries forward.


Facility 2 is located in Arlington, VA. It is the second most expensive of the sites surveyed and researched. This particular space offers 4,000 square feet of divided floor space, 3 individual offices, and a mid-size conference room capable of unclassified secure video teleconferencing. The major source of cost for this facility is going to be the construction costs associated with preparing the space to become a fully operational SCIF. Based on past experience it would cost approximately $100k to bring an area this size up to the Technical Specifications of Intelligence Community Directive 705, Physical Security Standards for Sensitive Compartmented Information Facilities. A few basics that need to be addressed are the lack of double drywall, no expanded metal in the walls, walls that are not true floor to true ceiling and no solid core doors. Again, based on past experience construction would take approximately 4 months. All in all this would be a good alternative to Facility 1, and is not completely cost prohibitive. DC4 states that equipping the facility for secure VTCs is possible with a little work and associated cost. The I.T. infrastructure is minimal and DC4 states that, once construction is complete, getting the area mission ready would take approximately 20 days. Included in the overall cost are unarmed guard services (this may void the ability for open storage), utilities and telephone service. The site hosts several small entities, two of which host classified missions. The risk associated with this site would be slightly increased and a counterintelligence survey would need to be completed in order to get a full-scale threat assessment of the area.


Facility 3 is located in Chantilly, VA. It is the least expensive of the sites surveyed. This space offers 3,200 square feet of floor space, 3 individual offices, and a small conference room capable of unclassified secure video teleconferencing. The major source of cost for this facility is going to be the construction costs associated with preparing the space to become a fully operational SCIF. Based on past experience it would cost approximately $75k to bring the area into compliance with the Technical Specifications of Intelligence Community Directive 705, Physical Security Standards for Sensitive Compartmented Information Facilities. A few basics that need to be addressed are the lack of double drywall, no expanded metal in the walls, walls that are not true floor to true ceiling and no solid core doors. Based on past experience construction would take approximately 3 months. While suitable to the needs of PM-CISS, the space is a bit on the small side compared to the other operating locations, but does fill the need.

DC4 states that equipping the facility for secure VTCs is possible with a little work and associated cost. The I.T. infrastructure is minimal and DC4 states that, once construction is complete, getting the area mission ready would take approximately 20 days. All in all this would be a good alternative to Facility 1, and is not completely cost prohibitive. Guard service, utilities, and phone service are all responsibilities incumbent upon the occupant of the space, which will drive up the overall annual operating cost. The lack of guard services will also drive up the annual operating cost. The site hosts several small entities, one of which is a wholly owned foreign business whose office space borders the northernmost wall of the space we would occupy. The balance of occupants includes a real estate company, a computer start-up company, and a textile importer/exporter. The risk associated with this site is “high” and a counterintelligence survey would need to be completed in order to get a full-scale threat assessment of the area.

Policy

Paragraph two of Intelligence Community Directive (ICD) 705, Physical Security Standards for Sensitive Compartmented Information Facilities, states, “All SCIFs shall comply with uniform security requirements. The Deputy Director of National Intelligence for Policy, Plans, and Requirements (DDNI/PPR) shall issue an IC Standard(s) establishing these requirements no later than 90 days after the effective date of this Directive. The IC Standard(s) shall include, but is not limited to, risk mitigation factors, and specific categories and uses of SCIFs” (Intelligence, 2010). Paragraph three states, “All SCIFs shall be accredited prior to being used for the processing, storage, use, or discussion of SCI. IC elements may continue to operate SCIFs accredited as of the effective date of this Directive in accordance with physical and technical security requirements applicable at the time of the most recent accreditation or re-accreditation of a given SCIF. IC elements shall ensure that upon re-accreditation a given SCIF is compliant with the current uniform security requirements, unless the IC element head grants a waiver in accordance with section D.5 of this Directive. The DDNI/PPR shall issue an IC Standard(s) on SCIF accreditation, re-accreditation, and de-accreditation no later than 90 days after the effective date of this Directive” (Intelligence, 2010).

Given the language of the ICD, retrofitting or upgrading existing SCIFs in any of the proposed facilities that were not built and accredited to the ICD 705 standard will incur additional cost, as the previous standard (Director of Central Intelligence Directive 6/4) has been superseded. The ICD also states that uniform security requirements shall be established. This is an across-the-board requirement aimed at improving reciprocity across the Intelligence Community. For the most part, if a SCIF has been accredited under the ICD 705 standard, a co-use agreement is typically enough to allow another entity to operate within the accredited space, regardless of the organization or government affiliation (DoD vs. CIA, FBI etc.). In addition to the rules governing the protection of SCI information, all of the rules governing the protection of collateral (secret/top secret) information will remain relevant and binding to all organizational members occupying the alternate work location. As such, the PM-CISS security manager is charged with penning a security standard operating procedure, specifically geared to the alternate location, that outlines security requirements, and with ensuring all members of the organization are briefed on and fully understand the policy.

Physical protection systems (PPS) will be built to the standards outlined in the ICD and will not deviate from them without good cause and a waiver from the accreditation authority. At a minimum the site will incorporate solid core doors, proximity badge readers, badge + PIN readers, passive infrared detectors arranged for maximum coverage of all floor space, and window break sensors if the facility is less than 18 ft. above the ground. Further, as the sites surveyed were not located on a DoD installation, it is important to note that an Underwriters Laboratories 2050 standard certification should be pursued.

A brief history of UL 2050 to give context to the requirement:

“In 1993, the United States Department of Defense developed a set of standards and guidelines for securing its classified material, information, and equipment to be developed, stored, or maintained by a government contractor. Specifically, these standards were laid out in something called the National Industrial Security Program Operating Manual or NISPOM. This meant that in order to do work for the DOD, every contractor’s facility needed to meet these particular standards and procedures.

Around the same time, an independent organization called Underwriters Laboratories developed a set of standards that would meet and often surpass the standards laid out in the NISPOM. The result was Underwriters Laboratories 2050 or UL 2050. 2050 has no particular meaning except it’s how UL refers to this specific level of security. The DOD recognizes UL’s meticulous standards and UL, in turn, is authorized to certify security companies to create, monitor, and inspect Sensitive Compartmented Information Facilities or SCIFs” (Security Integration, 2011).

Further, all server rooms and communication closets will be secured with high security locks of the “X0” type, will be equipped with balanced magnetic switches, and will require active alarms to be placed into “safe mode” prior to entering. Also, control panels will be located within the SCIF as a means of additional security.

Testing

If this project is approved and a site is selected, it is imperative that testing is conducted at least annually. As Contingency Planner Don Edwards learned,

“We, as Contingency Planners, found that we were not backing up all the datasets necessary to recover from a complete destruction scenario. We also found that some of the so-called standards that existed for years were not necessarily being used by the development staff. Most of our application rerun documentation relied upon datasets that existed on DASD, but they were not backed up to tape. We also found that human error becomes an all too frequent enemy that can cause an entire test to fail; not to mention what might happen in an actual emergency. We learned the extreme differences between tests involving one team working single shifts over several days and several teams working continuously for 48 or more hours. And most importantly, we learned that the worst four-letter word in a Contingency Planner’s vocabulary was “assume”” (Edwards, 1997).

There is little doubt that there are many challenges, logistical ones especially, related to the successful creation, activation and operation of a “hot-site”, but there are plenty of “lessons learned” scenarios that can be leveraged to ensure PM-CISS does not repeat the same types of mistakes. Testing is the first step once infrastructure is put in place and has been declared operational. Testing should consist of a “full-scale” operational workup. Every system should be tested for functionality, connectivity, updates, and security, and tests should vary in length. Actually exercising the “hot-site” for an extended period of time ensures that all of the systems will operate and that employees will know exactly what to do should activation become imminent. Also, as Mr. Edwards mentioned, we need to ensure that we are backing up all of the relevant datasets so that, when the day comes that an activation happens, there are no missteps; business should continue at the alternate site as if it were the primary.

Testing should also include major command (MAJCOM) sponsored red team testing at least bi-annually to ensure COMPUSEC is effective. The National Security Agency’s Chief Operating Officer for Information Assurance, Mr. Tony Sager, says of a red team, “An effective red team needs to be holistic in nature,” he said. “But it also needs to test the people’s security prowess, so having a systems administrator not understand what to do when an incident occurs is just about as bad as the actual malware or the actual attack itself. If they do the wrong thing, it could be more catastrophic than the event itself.” As Mr. Sager relates, red teams are not just there to test the systems; the red team approach is holistic in nature and tests systems and people. It is a good tool to use as a measuring stick and gives PM-CISS and DC4 an overall target to shoot for in the name of solid continuity of business operations.

Summary

It was former Supreme Court Justice William O. Douglas who said, “The search for static security -- in the law and elsewhere -- is misguided. The fact is security can only be achieved through constant change, adapting old ideas that have outlived their usefulness to current facts” (Douglas, 2001). This quote is germane to the topic at hand. The point Justice Douglas was conveying is that security, like the law, is an organic entity that needs to adapt to the environment and relevant issues; it should not be stationary. Using valid information, coupled with security assessments, trend analysis, threat analysis, and carefully gathered metrics, we can assess our security situation, improve it and mitigate to the best of our ability the loss of business operations, as we have done for this paper.

The bottom line is that PM-CISS currently has no alternate work location should the primary site be affected by an unforeseeable event, either manmade or natural. The PM needs to lend serious consideration to optioning an alternate location to house a “hot-site”. Three locations have been explored and ranked in order of consideration based on the I.T. and communication needs of PM-CISS. In the digital communication era, losing connectivity for an extended period of time is a sure-fire way to have current and future acquisition efforts languish to the point of cancellation. Hand-carrying proposals, statements of work, statements of objectives and contracts has lost favor to electronic communication, and rightfully so. Further, hand-carrying information would undoubtedly place a tremendous strain on PM-CISS’ already overtaxed travel budget, and with sequestration on the horizon funds will only get tighter.

This document has been laid out to illustrate what a “hot-site” is, to give perspective on what is currently available on the market for facilities and the associated cost, and to describe what it will take (time-wise) to install the I.T. infrastructure needed to establish the site, along with the relevant security, policy and testing considerations. Ultimately, a “hot-site” is the only real way to ensure business continuity in a post-disaster environment. It simply makes good business sense for PM-CISS to consider this as a viable option and move forward with laying the groundwork for the establishment of a “hot-site”.

References:

Banks, M. I., & study, a. c. (1999). Petroni, Alberto. Disaster Prevention Management. Parma, Parma, Italy: Emerald Group Publishing, Limited.

Chodkowski, W. (2012, September 28). Why Hasn't the U.S. Witnessed Another Large-Scale Domestic Terrorist Attack Since 9/11? Retrieved March 22, 2013, from American Security Project:

Edwards, D. (1997). The Contingency Planner. Retrieved March 24, 2013, from The Contingency Planner:

Fryer-Biggs, Z. (2012, June 14). Building Better Cyber Red Teams. Retrieved March 15, 2013, from Defense News:

Gourley, S. R. (No Year Given). PEO SOF Warrior Equipping the SOF Warrior. Retrieved March 22, 2013, from Virtual Online Pubs:

Henne, S. (2007). Business Continuity Takes Center Stage at the Bank of New York. The RMA Journal, 89 (9), 26-27.

Intelligence, O. o. (2010). Intelligence Community Directive Number 705. Washington, DC, USA: U.S. Government.

Security Integration. (2011). Security Integrations. Retrieved March 12, 2013, from UL 2050 Room Certification:

United States Special Operations Command. (n.d.). Our Organization. Retrieved from United States Special Operations Command:

Whitman, M. E. (2010). Management of Information Security. Boston, MA, USA: Course Technology.
